Configuring OS user and group authorization  Configuring listeners

Chapter 13: Security Configuration Tasks

Configuring security profiles

Security profiles define the security characteristics of a client-EAServer session. You assign a security profile to a listener, which is a port that accepts client connection requests of various protocols. EAServer can support multiple listeners. Clients that support the same characteristics can communicate to EAServer via the port defined in the listener.

Each security profile has an associated security characteristic. A security characteristic is a name that has a set of cipher suites associated with it. A security characteristic, along with the cipher suites, defines these characteristics of a client/server connection:

For example, the cipher suite SSL_RSA_WITH_NULL_MD5 can be interpreted as:

SSL – the protocol used. All profiles use SSL.

RSA – the key exchange algorithm used.

NULL – no encryption.

MD5 – the hash method used to compute the message digest.

Table 13-1 and Table 13-2 clarify the relationship between cipher suite terminology and security characteristics.

Table 13-1: Cipher suite terms

Name

Defines

Description

SSL

Protocol

SSL protocol uses public-key encryption to establish secure Internet communications.

RSA DH_anon

Key exchange algorithm

RSA and DH (Diffie-Hellman) are public-key cryptography systems, which define both authentication and encryption:

  • RSA provides full encryption and authentication support.

  • DH_anon provides only encryption support.

EXPORT

Suitable for export

Because of export regulations, some CipherSuites are not suitable for export. Only CipherSuites that contain the word EXPORT are suitable for international use.

NULL

No encryption

Data is not encrypted.

DES 3DES DES40 RC4_40 RC4_128

Encryption algorithms

System: Key length:

DES 56 3DES 168 DES40 40 RC4_40 40 RC4_128 128

The greater the key length, the greater the encryption strength.

EDE CBC

Encryption and decryption modes

CBC and EDE are modes by which DES algorithms are encrypted and decrypted.

SHA MD5

Hash function

SHA and MD5 are hash methods used to compute the message digest when generating a digital signature.

Note Browsers do not support anonymous cipher suites.


Security characteristics

There are four categories of security characteristics:

Table 13-2 lists the name, the level of authentication, and the supported cipher suites for each security characteristic. Table 13-1 describes the cipher suites listed here.

Table 13-2: Security characteristics

Name of characteristic

Authenticates

Cipher suites

sybpks_simple

server

SSL_RSA_WITH_NULL_SHA SSL_RSA_WITH_NULL_MD5

sybpks_simple_mutual_auth

client/server

SSL_RSA_WITH_NULL_SHA SSL_RSA_WITH_NULL_MD5

sybpks_strong

server

SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_MD5

sybpks_strong_mutual_auth

client/server

SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_MD5

sybpks_intl

server

SSL_RSA_EXPORT_WITH_RC4_40_MD5 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_WITH_NULL_SHA SSL_RSA_WITH_NULL_MD5

sybpks_intl_mutual_auth

client/server

SSL_RSA_EXPORT_WITH_RC4_40_MD5 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_WITH_NULL_SHA SSL_RSA_WITH_NULL_MD5

sybpks_domestic

server

SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_RC4_40_MD5 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_WITH_NULL_SHA SSL_RSA_WITH_NULL_MD5

sybpks_domestic_mutual_auth

client/server

SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_RC4_40_MD5 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_WITH_NULL_SHA SSL_RSA_WITH_NULL_MD5

sybpks_domestic_anon

none

SSL_DH_anon_WITH_3DES_EDE_CBC_SHA SSL_DH_anon_WITH_RC4_128_MD5 SSL_DH_anon_WITH_DES_CBC_SHA

The sybpks_domestic_anon profile is used for anonymous Diffie-Hellman communications. Neither the client nor the server is authenticated.


Defining security profiles

This section describes how to create, modify, and delete a security profile. All of the configuration tasks require you to first access the Security Profiles folder. To do this, highlight the Security Profiles folder from EAServer Manager.

See Table 13-3 when creating, modifying, or deleting a security profile.

StepsCreating a new security profile

  1. Highlight the Security Profiles folder and choose File | New Security Profile. The Security Profile wizard displays.

  2. Follow the wizard pages to configure the profile properties. For more information on these settings, click Help in the Wizard or see Table 13-3.

The new security profile now appears on the right side of the window when the Security Profiles folder on the left side of the window is highlighted.

StepsModifying an existing security profile

  1. Highlight the security profile you wish to modify.

  2. Choose File | Properties to display the Security Profile Properties dialog box with fields described in Table 13-3.

    Alternatively, choose File | Configuration Wizard to run the configuration wizard. For more information on the wizard settings, click Help in the Wizard or see Table 13-3.

StepsDeleting a security profile

  1. Highlight the profile entry you want to delete.

  2. Select File | Delete Security Profile.

Table 13-3: General, advanced, and Entrust profile properties

Property

Description

Comments/example

Name

The name you give to the security profile.

Description

A description of the security profile.

Use Entrust

Select this check box to use an Entrust ID instead of a certificate contained in the Sybase PKCS #11 token.

Selecting this check box prevents access to the certificates contained in the Sybase token.

Security Characteristic

Select a name from the drop-down list of predefined security characteristics to use for this profile.

See Table 13-2 for a description of security characteristics and the CipherSuites they support.

Description

A description of the selected security characteristic.

Each security characteristic comes with a description of its features.

Sybase PKCS #11 Token Certificate Label

From the drop-down list, enter the certificate label you want to use for this security profile.

If you have not provided the PIN for the Sybase PKCS #11 token, you are prompted for one. This is the same PIN that you enter to access the EAServer Manager | Certificates folder.

If you are using an Entrust ID and click the Use Entrust check box, this property does not appear.

See Chapter 14, “Managing Keys and Certificates” for more information on certificates.

SSL Cache Size

The number of entries in SSL session cache maintained by the server. The default cache size is 30.

See “SSL session caching and reuse”.

SSL Session Share

The number of concurrent connections that can simultaneously use the same session entry (ID) in the session cache. The default session share size is 10.

See “SSL session caching and reuse”.

SSL Session Linger

The duration for which a session entry is kept in the SSL session cache after the last SSL session using this session ID was closed. The default session linger value is eight hours.

See “SSL session caching and reuse”.

Log SSL Errors

When selected, additional information about SSL errors is logged.

Set Defaults

Select the Set Defaults check box to restore all of the advanced settings to their default levels.

Specify the Entrust INI File

Enter the complete path to the Entrust initialization file.

You can use the browse feature to locate this file. For example, on Windows, %SystemRoot%\entrust.ini.

Entrust User Profile

Enter the complete path to the Entrust user profile file.

You can also use the browse feature to locate this file. There is no default.

Entrust Password

The password to the Entrust login for this Entrust user profile.

Allow non-Entrust client

Click this check box to allow non-Entrust clients to connect to listeners that use an Entrust ID.


SSL session caching and reuse

For improved performance, EAServer caches SSL session identifiers and allows clients to reuse them. Since creating an SSL session requires CPU-intensive computations, SSL session reuse results in a relatively large performance gain over setting up completely new security sessions for each connection. The settings on the Advanced tab control how SSL clients can reuse sessions for subsequent and simultaneous connections.

Cached sessions allow the client to reuse a session in a subsequent connection. The SSL Cache Size setting controls how many entries can be cached. Set this to a number less than or equal to the maximum connections setting for the server. The cache requires approximately 64 bytes per entry. The SSL Session Linger value specifies how long cached session IDs remain valid.

The SSL Session Share setting specifies how many simultaneous connections can share one session ID. Session sharing can improve performance when the client opens multiple connections simultaneously. For example, a browser client may open several connections at once to download images linked to an HTML page. Session sharing allows the client to reuse the session for the second and subsequent connections, up to the number of concurrent connections specified by the SSL Session Share value.

NoteThese are advanced SSL parameters. They should be set only by someone who is knowledgeable about SSL.





Copyright © 2005. Sybase Inc. All rights reserved. Configuring listeners